
Ransomware gangs move to partial encryption to avoid detection


Security researchers at SentinelLabs have found a growing number of ransomware gangs using a tactic that encrypts only part of each of the victim's files, which speeds up the encryption run and lowers the chance of detection at the same time.

The tactic, known as intermittent encryption, encrypts only selected portions of each targeted file. The data is still unrecoverable without the decryption key, but because far fewer bytes are read and written, the encryption is much less aggressive on disk. Automated detection tools that look for the burst of intense I/O a conventional ransomware run produces are therefore likely to miss it.

According to SentinelLabs' report, the tactic was first used by LockFile in mid-2021 and has since been adopted by Agenda, Black Basta, ALPHV (also known as BlackCat), PLAY and Qyick, among others.

Most groups add their own twist to the technique. Agenda, for example, offers intermittent encryption as an optional mode with three variants: skip a specified number of megabytes between encrypted blocks, encrypt only the first specified number of megabytes of the file, or skip a percentage of the file's size.

Agenda ransomware's 'help' screen detailing the available encryption types. | Source: SentinelLabs

BlackCat also lets operators choose between several encryption patterns, much like Agenda. Qyick's encryptor, written in Go, is advertised by the group itself in a hacking forum post as running at an 'unmatched' speed. PLAY's implementation splits a file into two, three or five chunks depending on its size and encrypts every other chunk. Black Basta gives operators no choice at all: the strain itself picks the pattern based on the size of the target file.
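To make the patterns above concrete, here is an added example (not code from the article or from SentinelLabs, and not from any of the ransomware families) that models the PLAY-style alternating split and Agenda's skip-step and first-N-megabytes modes as byte ranges, then shows what a detector sees. Ciphertext is stood in for by random bytes, so no cipher or key is involved; the 1 MB / 10 MB thresholds used to pick the PLAY chunk count, the assumption that Agenda skips before it encrypts, and the sample file contents are all constructed for the example.

```python
"""Added example: model intermittent-encryption chunk selection and measure what
a whole-file entropy check versus a windowed one would see.
Random bytes stand in for ciphertext; thresholds and sample data are assumptions."""
import math
import random
from collections import Counter

MB = 1024 * 1024
Range = tuple[int, int]  # half-open byte range [start, end)


def alternate_chunks(size: int) -> list[Range]:
    """PLAY-style: split the file into 2, 3 or 5 pieces by size and encrypt every
    other piece, starting with the first. The 1 MB / 10 MB thresholds are assumed;
    the article only gives the chunk counts."""
    parts = 2 if size < 1 * MB else 3 if size < 10 * MB else 5
    chunk = math.ceil(size / parts)
    pieces = [(s, min(s + chunk, size)) for s in range(0, size, chunk)]
    return pieces[::2]


def skip_step(size: int, skip_mb: int, step_mb: int) -> list[Range]:
    """Agenda skip-step mode: leave skip_mb MB in the clear, encrypt step_mb MB,
    and repeat to the end of the file (assumes the skip comes first)."""
    ranges: list[Range] = []
    pos = skip_mb * MB
    while pos < size:
        end = min(pos + step_mb * MB, size)
        ranges.append((pos, end))
        pos = end + skip_mb * MB
    return ranges


def head_only(size: int, n_mb: int) -> list[Range]:
    """Agenda 'encrypt only the first N MB' mode."""
    return [(0, min(n_mb * MB, size))]


def coverage(size: int, ranges: list[Range]) -> float:
    """Fraction of the file actually encrypted; the speed-up comes from here."""
    return sum(e - s for s, e in ranges) / size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 64 * 1024) -> float:
    """Entropy of the highest-entropy fixed window, i.e. what a detector that
    samples windows instead of hashing the whole file would see."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def simulate(plaintext: bytes, ranges: list[Range], rng: random.Random) -> bytes:
    """Stand-in for encryption: overwrite the selected ranges with random bytes."""
    buf = bytearray(plaintext)
    for s, e in ranges:
        buf[s:e] = rng.randbytes(e - s)
    return bytes(buf)


def demo(size_mb: int = 4) -> dict[str, dict[str, float]]:
    """Run a constructed 4 MB text file through each pattern. Returns, per pattern,
    the encrypted fraction, whole-file entropy and best 64 KB window entropy."""
    size = size_mb * MB
    plaintext = (b"quarterly report: revenue up, costs flat. " * (size // 42 + 1))[:size]
    patterns = {
        "head_only_1mb": head_only(size, 1),
        "agenda_skip1_step1": skip_step(size, 1, 1),
        "play_alternate": alternate_chunks(size),
        "full": [(0, size)],
    }
    rng = random.Random(1)  # fixed seed so the run is reproducible
    out: dict[str, dict[str, float]] = {}
    for name, ranges in patterns.items():
        data = simulate(plaintext, ranges, rng)
        out[name] = {
            "coverage": round(coverage(size, ranges), 3),
            "file_entropy": round(shannon_entropy(data), 2),
            "max_window_entropy": round(max_window_entropy(data), 2),
        }
    return out


if __name__ == "__main__":
    for name, stats in demo().items():
        print(f"{name:20s} {stats}")
```

Run as a script, it prints one line per pattern. The point for defenders: the partial patterns touch 25%, 50% and about 67% of the file respectively, and the whole-file entropy drops well below the 8 bits per byte a fully encrypted file shows, so a detector that thresholds on whole-file entropy or on write volume is easy to slip past. A detector that samples fixed windows still sees ciphertext-grade entropy in every one of these patterns, because each encrypted region is far larger than the window.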

The tactic has no obvious downside for the attackers, so experts expect more gangs to adopt it. It does, however, need to be implemented correctly, or partially encrypted files may be easier to recover than intended. BlackCat's implementation currently looks the most sophisticated, while analysts have yet to judge how effective Qyick's approach is because no samples of that ransomware have been analysed.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites such as Candid.Technology and MakeUseOf since 2018.